Enterprise attestation query


Ujjwal Roy

Jan 8, 2026, 1:28:52 AM
to FIDO Dev (fido-dev)

Hi All

I have a few questions regarding the enterprise attestation feature for authenticators as outlined below:

  • Enterprise attestation may include uniquely identifying information. Does this attestation need to be unique for each individual authenticator or can an enterprise/vendor issue a single attestation for a batch of authenticators using a common enterprise key and certificate, similar to basic attestation (as currently expected by the conformance tool)?
  • Are there established mechanisms for implementing this feature or do enterprises/vendors have the flexibility to decide how to implement it?
  • If the enterprise attestation must be unique for each individual authenticator, does this require the use of chip-specific enterprise keys and certificates?
    • If that is the case, is there specific guidance on implementation such as including the chip serial number in the certificate?

 

Regards,
Ujjwal Roy

Shane Weeden

Jan 8, 2026, 3:38:32 AM
to Ujjwal Roy, Dev FIDO

My1

Jan 8, 2026, 3:45:14 AM
to Shane Weeden, Ujjwal Roy, Dev FIDO

Here it also says that it MAY include uniquely identifying info.
RFC 2119 defines MAY as meaning that this is free to choose.

So I'd guess theoretically an EP may have info to identify individual ones but you could theoretically also use a batch thing if you only want to define them as the tokens for your company specifically. 
